SSL Server Certificate - shawfdong/hyades GitHub Wiki
UCSC is now participating in the InCommon Certificate Service, which entitles the campus to unlimited digital certificates[1]. Here is how to generate an SSL/X.509 certificate for a web server, e.g., maia.ucsc.edu.
NOTE: all major web browser vendors have announced that they are deprecating support for SHA1 in browsers and moving to SHA256[2]. Starting from October 2014, InCommon issues SHA256 certificates. This guide is updated to use SHA256 (SHA2).
Generate a CSR (Certificate Signing Request):
I use the following bash script (req.sh)[3]:
```bash
#!/bin/bash
### certificate request
if [ $# -ne 1 ]
then
    echo "Usage: $0 host"
    exit 1
fi
# generate a new 2048-bit RSA key (unencrypted, -nodes) and a SHA256-signed CSR for $1.ucsc.edu
openssl req \
    -new -newkey rsa:2048 -sha256 -nodes \
    -subj "/C=US/ST=California/L=Santa Cruz/O=University of California, Santa Cruz/CN=$1.ucsc.edu" \
    -keyout "$1.key" -out "$1.csr"
# print the CSR so the subject can be checked before submitting it
openssl req -in "$1.csr" -noout -text
```
To generate a CSR for maia.ucsc.edu, I run:
```
$ ./req.sh maia
```
which will produce two files: maia.key (the private key) and maia.csr (the CSR).
Go to https://ucsc.service-now.com/, and open a ticket for SSL Certificate Request. After a few days, the signed certificate (maia_ucsc_edu.cer) will arrive in an email.
The signed certificate actually packs 3 certificates, in the order of:

- AddTrust External CA Root
- USERTrust RSA Certification Authority
- InCommon RSA Server CA
- maia

The chain file maia_chain.crt (used below) lists them in the reverse order, with the server certificate first:

- maia
- InCommon RSA Server CA
- USERTrust RSA Certification Authority
- AddTrust External CA Root
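As an added example (not code from the wiki or the hyades project), the following standard-library Python script takes a bundle like maia_ucsc_edu.cer, which arrives root-first, and emits the certificates in the leaf-first order maia_chain.crt needs, linking each certificate to its issuer by matching issuer and subject names instead of assuming a fixed position. The function names and the minimal DER walk are mine; it reads only the issuer and subject fields and does not verify signatures or validity dates.

```python
import base64
import re
import sys

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value_start, value_end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER encodings of (issuer, subject) from one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _tlv(der, pos)                # serialNumber
    _, _, pos = _tlv(der, pos)                # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(der, pos)                # issuer Name
    issuer = der[start:pos]
    _, _, pos = _tlv(der, pos)                # validity
    start = pos
    _, _, pos = _tlv(der, pos)                # subject Name
    return issuer, der[start:pos]

def order_chain(bundle_pem):
    """Return the CERTIFICATE blocks of a bundle leaf-first, each followed by its issuer.
    Raises ValueError unless exactly one certificate is not the issuer of any other."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", bundle_pem, re.S)
    names = {b: issuer_subject(base64.b64decode("".join(b.splitlines()[1:-1]))) for b in blocks}
    by_subject = {subject: b for b, (_, subject) in names.items()}
    issuers = {issuer for issuer, _ in names.values()}
    leaves = [b for b, (_, subject) in names.items() if subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %d" % len(leaves))
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        issuer, subject = names[cur]
        cur = None if issuer == subject else by_subject.get(issuer)  # self-signed root ends the walk
    return chain

if __name__ == "__main__":
    # Usage: python order_chain.py maia_ucsc_edu.cer > maia_chain.crt
    with open(sys.argv[1]) as f:
        print("\n".join(order_chain(f.read())))
```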
Upload maia.key (the private key) and maia_chain.crt (the certificate) to /etc/ssl/ on the server maia.ucsc.edu. The two files should be readable only by root.
```
# chown root:root maia_chain.crt maia.key
# chmod 400 maia_chain.crt maia.key
```
Add the following lines to the configuration file of nginx (/etc/nginx/conf.d/maia.conf):
```nginx
ssl_certificate /etc/ssl/maia_chain.crt;
ssl_certificate_key /etc/ssl/maia.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# TLSv1 and TLSv1.1 were still current when this was written; both have since been deprecated (RFC 8996)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
```
The above procedure works for most servers. However, it won't work for the Huawei Universal Distributed Storage system, which has both yun.ucsc.edu and *.yun.ucsc.edu as its domain names. The Huawei Universal Distributed Storage system calls for a certificate with SubjectAltName (a SAN certificate). SubjectAltName (Subject Alternative Names, or SAN) is an X.509 Version 3 (RFC 2459) extension that allows an SSL certificate to specify multiple names that the certificate should match. SubjectAltName can contain email addresses, IP addresses, regular DNS host names, etc.[4]
Create an OpenSSL configuration file that enables subject alternative names (yun.cnf):
```
[ req ]
default_bits = 2048
default_keyfile = yun.key
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Santa Cruz
organizationName = Organization Name (eg, company)
organizationName_default = University of California, Santa Cruz
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = yun.ucsc.edu

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = yun.ucsc.edu
DNS.2 = *.yun.ucsc.edu
```
Generate private key & CSR:
```
$ openssl req \
    -new -newkey rsa:2048 -sha256 -nodes \
    -subj '/C=US/ST=California/L=Santa Cruz/O=University of California, Santa Cruz/CN=yun.ucsc.edu' \
    -out yun.csr -config yun.cnf
```
which will produce two files: yun.key (the private key) and yun.csr (the CSR).